General

  • Target

    57175fa35ac08e8e169ec8082748b2f377f3b5f4b7065dc907dd9ee150398afd

  • Size

    104KB

  • Sample

    220725-a4ervsgaam

  • MD5

    855b19d8c6791b0d53c03603b3542fd0

  • SHA1

    bd7fc4630317287fdad539a50a718fe2c3ff5b4c

  • SHA256

    57175fa35ac08e8e169ec8082748b2f377f3b5f4b7065dc907dd9ee150398afd

  • SHA512

    441f20520328fa83ac3aa3b7a8c4a1260f23ba694f5c29f5cc17204d7ed1cdf3a9ad5dfe07f6635611f91f60bf294e0927059433d1dc5b87bc04486916bfb48a

Malware Config

Extracted

Family

lokibot

C2

http://www.agricomimpex.com/aspnet_client/system_web/fix/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      57175fa35ac08e8e169ec8082748b2f377f3b5f4b7065dc907dd9ee150398afd

    • Size

      104KB

    • MD5

      855b19d8c6791b0d53c03603b3542fd0

    • SHA1

      bd7fc4630317287fdad539a50a718fe2c3ff5b4c

    • SHA256

      57175fa35ac08e8e169ec8082748b2f377f3b5f4b7065dc907dd9ee150398afd

    • SHA512

      441f20520328fa83ac3aa3b7a8c4a1260f23ba694f5c29f5cc17204d7ed1cdf3a9ad5dfe07f6635611f91f60bf294e0927059433d1dc5b87bc04486916bfb48a

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses Microsoft Outlook profiles
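
Added example (not part of the sandbox report above): a short Python check that turns the extracted C2 URLs and the Charon/Inferno User-Agent named in the Suricata signatures into a hunting pass over web-proxy logs. The log lines and their format are constructed for this example, and the User-Agent value "Mozilla/4.08 (Charon; Inferno)" is assumed from the signature name rather than taken from this report; the match is done on the two tokens so an exact string is not required.

```python
import re
from urllib.parse import urlsplit

# C2 URLs exactly as extracted in the report above.
C2_URLS = [
    "http://www.agricomimpex.com/aspnet_client/system_web/fix/Panel/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlsplit(u).hostname.lower() for u in C2_URLS}
C2_PATHS = {urlsplit(u).path for u in C2_URLS}

# Assumed User-Agent tokens (from the ET signature name, not from this report);
# matched loosely so minor variations in the string still hit.
LOKI_UA_RE = re.compile(r"Charon.*Inferno", re.IGNORECASE)

# Constructed proxy log format: ts client method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines for this example (not real traffic). The third
# line uses a reserved .example host to stand in for a rotated C2 domain.
SAMPLE_LOG = [
    '2022-07-25T10:01:02Z 10.0.0.5 POST http://kbfvzoboss.bid/alien/fre.php 200 "Mozilla/4.08 (Charon; Inferno)"',
    '2022-07-25T10:01:03Z 10.0.0.5 GET http://www.example.org/index.html 200 "Mozilla/5.0 (Windows NT 10.0)"',
    '2022-07-25T10:02:40Z 10.0.0.9 POST http://alphastand.example/alien/fre.php 404 "Mozilla/4.08 (Charon; Inferno)"',
    '2022-07-25T10:03:00Z 10.0.0.7 POST http://updates.example.com/fre.php 200 "Mozilla/5.0 (Windows NT 10.0)"',
]


def classify(line):
    """Return the reasons a single proxy log line looks like LokiBot C2 traffic.

    An empty list means the line is either unparseable or unremarkable.
    """
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    reasons = []
    if host in C2_HOSTS:
        reasons.append(f"known C2 host {host}")
    elif parts.path in C2_PATHS:
        # Same panel path on a host the report does not list: the C2 list
        # already shows the operators rotating domains behind one path.
        reasons.append(f"known C2 path {parts.path} on new host {host}")
    if LOKI_UA_RE.search(m["ua"]):
        reasons.append("LokiBot User-Agent (Charon/Inferno)")
    if m["method"] == "POST" and parts.path.endswith("/fre.php"):
        reasons.append("POST to fre.php panel")
    return reasons


def scan(lines):
    """Run classify() over log lines; return (client, url, reasons) for each hit."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["client"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {url}: {'; '.join(reasons)}")
```

Matching on the panel path as well as the host is what catches the domain rotation visible in the C2 list (the same /alien/fre.php path behind four different hosts); a bare "POST to fre.php panel" hit with no other reason is weak on its own and is better used as a pivot than as an alert.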

MITRE ATT&CK Matrix ATT&CK v6

Tactic             Technique               Count  ID
Credential Access  Credentials in Files    1      T1081
Collection         Data from Local System  1      T1005
Collection         Email Collection        1      T1114

Tasks